On 2 February 2012 01:36, Richard Jones <[email protected]> wrote:
> Summarising the responses:
>
> 8 at +1
> 3 at -1
>
> Several posts with no stated positions.
>
Several posts with no explicit -1, but I see objections/misgivings from the following:

Me
Martin Loewis
Phillip Eby
Antoine Pitrou
Robert Collins
MA Lemburg

Plus Chris Withers sceptical of the "security" advantages, although not explicitly objecting.

Note that even if this hole is plugged it still offers no security advantage to users of tools like pip/easy_install - all a package maintainer has to do is switch to hosting the download themselves and the tools will still merrily install the specified version from wherever it is hosted (using the download link from pypi). So the *only* security fix is to specify a secure hash to the install tool, not screw over package maintainers with more restrictions on pypi. Given the issues with md5, adding SHA (or similar) hashes to pypi would be a much better use of time (IMO).

All the best,

Michael Foord

> Given it appears to be controversial, I'm just going to drop it. I
> just don't need the aggravation. PyPI can retain its ability to serve
> up potentially confusing file content.
>
>
> Richard
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
>

--
http://www.voidspace.org.uk/

May you do good and not evil
May you find forgiveness for yourself and forgive others
May you share freely, never taking more than you give.
-- the sqlite blessing
http://www.sqlite.org/different.html
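The point Michael makes above is that the install tool, not the index, is where a download has to be checked: an installer that is handed a strong hash can verify the file no matter which host served it. As an added illustration (not code from this thread, from pip, or from PyPI), the script below pins a distribution file to a digest in a `--hash=algo:digest` requirement syntax modelled on what pip later adopted, refuses md5/sha1 pins outright, and accepts the bytes only when a strong pinned digest matches. The package name, the sample file bytes and the pin lines are all constructed for the example.

```python
import hashlib
import hmac
import re

# Digest algorithms an installer should be willing to trust as a pin.
# md5 and sha1 are deliberately absent: a pin in a weak algorithm is
# treated as "no pin", not as a reason to accept the file.
ALLOWED_ALGORITHMS = {"sha256", "sha384", "sha512"}

# Assumed pin-line shape (illustrative, modelled on pip's later syntax):
#   name==version --hash=algo:hexdigest [--hash=algo:hexdigest ...]
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=[a-z0-9]+:[0-9a-fA-F]+)+)\s*$"
)
HASH_RE = re.compile(r"--hash=(?P<algo>[a-z0-9]+):(?P<digest>[0-9a-fA-F]+)")


def parse_pin(line):
    """Parse one pin line into (name, version, [(algo, hexdigest), ...])."""
    m = PIN_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable pin line: %r" % line)
    hashes = [(h.group("algo"), h.group("digest").lower())
              for h in HASH_RE.finditer(m.group("hashes"))]
    return m.group("name"), m.group("version"), hashes


def verify_artifact(data, pins):
    """Decide whether downloaded bytes may be installed.

    Returns (ok, reason). The file is accepted only if at least one pin in an
    allowed algorithm matches; where the download came from is irrelevant,
    which is exactly why the check belongs in the install tool.
    """
    strong = [(algo, digest) for algo, digest in pins if algo in ALLOWED_ALGORITHMS]
    if not strong:
        return False, "no pin uses an allowed algorithm"
    for algo, expected in strong:
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison; avoids leaking how many leading bytes match.
        if hmac.compare_digest(actual, expected):
            return True, "matched %s" % algo
    return False, "no pinned digest matched the downloaded bytes"


def check_download(pin_line, data):
    """Convenience wrapper: parse the pin and verify the bytes against it."""
    _name, _version, pins = parse_pin(pin_line)
    return verify_artifact(data, pins)


# Constructed sample "distribution file" and the pins a maintainer might publish.
# The digests are computed here so the example is self-contained.
SAMPLE_FILE = b"PK\x03\x04 constructed examplepkg-1.0 archive bytes"
TAMPERED_FILE = SAMPLE_FILE + b"\x00"  # same name/version, different content
GOOD_PIN = "examplepkg==1.0 --hash=sha256:%s" % hashlib.sha256(SAMPLE_FILE).hexdigest()
MD5_ONLY_PIN = "examplepkg==1.0 --hash=md5:%s" % hashlib.md5(SAMPLE_FILE).hexdigest()
MIXED_PIN = "%s --hash=sha512:%s" % (GOOD_PIN, hashlib.sha512(SAMPLE_FILE).hexdigest())

if __name__ == "__main__":
    for label, pin, data in [
        ("genuine file, sha256 pin", GOOD_PIN, SAMPLE_FILE),
        ("tampered file, sha256 pin", GOOD_PIN, TAMPERED_FILE),
        ("genuine file, md5-only pin", MD5_ONLY_PIN, SAMPLE_FILE),
        ("genuine file, sha256+sha512 pins", MIXED_PIN, SAMPLE_FILE),
    ]:
        print("%-34s -> %s" % (label, check_download(pin, data)))
```

Note that the md5-only case is rejected even though the md5 digest does match the genuine bytes: the policy is that a weak pin gives the installer nothing it can rely on, which is the reason for wanting SHA-family digests on the index rather than md5 alone.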
